DPC issues important message on personal data transfers to and from the UK in event of a 'no deal' Brexit

Personal Data Transfers to and from the UK in the event of a ‘no deal’ Brexit – important message for any organisation or body that transfers personal data to the UK, including Northern Ireland

December 2018

This preliminary guidance is relevant for any Irish entities that have data processing operations that involve transfers of personal data to the UK. In the event of a ‘no deal’ UK exit from the EU, those entities will require a transfer mechanism to be in place from 30 March 2019 in order to continue to lawfully transfer personal data to the UK.

Under EU data protection law, free movement of personal data is guaranteed between EU member states. Where transfers of personal data are made to a recipient outside the European Economic Area, these are considered to be a transfer to a “third country” and require additional safeguards to be put in place in order to ensure continued application of the EU’s data protection standards.

In the event of a ‘no deal’ Brexit, i.e. where the UK leaves the EU at 00.00am CET on 30 March 2019 without the Withdrawal Agreement, the UK will become a “third country” for the purposes of EU personal data transfers. This will have repercussions for all organisations and bodies trading with or doing any other kind of business or correspondence with entities in the UK, including Northern Ireland. This is because personal data transfers to the UK will require the implementation of legal safeguards by the Irish-based organisations and bodies that are transferring the personal data. For example, if an Irish company currently outsources its payroll to a UK processor, legal safeguards for the personal data transferred to the UK will be required. If an Irish government body uses a cloud provider based in the UK, it will also require similar legal safeguards.  The same will apply to a sports organisation with an administrative office in Northern Ireland that adminsters membership details for all members in Ireland and Northern Ireland. Some organisations and bodies in Ireland will already be familiar with the legal transfer mechanisms available for the transfer of personal data to recipients outside of the EU, as they will already be transferring to the USA or India, for example.

Data flows from Ireland to the UK after March 2019 if there is no deal

As of the withdrawal date, the EU rules[1] for transfer of personal data to third countries will apply to the UK.

The EU Commission’s website outlines the legal mechanisms that can be used to underpin transfers from an EU member state to a third country. For some countries, the EU Commission has recognised their data protection regime as “adequate” (such as Israel and Argentina). The effect of such recognition or “adequacy decision” is that personal data can flow from the EEA to that third country without any further safeguard being necessary. However, no such recognition of the UK regime will be in place by the end of March 2019.

The most commonly used alternative mechanism for transfers is standard or model contractual clauses approved by the EU Commission that implement contractual safeguards between the data exporter and importer.

Further information on legal mechanisms for the transfer of personal data to third countries is available on European Commission’s website:

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_en

The Data Protection Commission website also contains further information on the transfer mechanisms and derogations for specific situations at the following link.

Data flows from the UK to the EU after March 2019

According to the UK Government, the current practice, which permits  personal data to flow freely from the UK to the EU member states, will continue in the event of a ‘no deal’ Brexit.

Data flows from the UK to non-EU countries after March 2019

In addition, the UK will implement a legal mechanism akin to standard or model contractual clauses that mirrors that of the EU in order to facilitate transfers from the UK to recipients in countries outside the EU. It will also recognise as ‘adequate’ the countries already recognised as adequate by the EU.

https://www.gov.uk/government/publications/data-protection-law-eu-exit/amendments-to-uk-data-protection-law-in-the-event-the-uk-leaves-the-eu-without-a-deal-on-29-march-2019

Next steps to consider for organisations transferring data to the UK, including Northern Ireland

• Map the personal data being transferred to the UK currently.
• Determine if the transfers will need to continue beyond 30 March 2019.
• If this is the case, then assess the various transfer mechanisms to decide which one best suits the situation and work towards having it in place before 30 March 2019.

Information and guidance from the DPC, the EU Commission and the UK Government will be updated as the withdrawal date nears, so the relevant websites should be checked regularly.

[1] Chapter V GDPR – This chapter covers transfers of personal data to third counties or international organisations.